`withAuthenticationRequired` does not attempt silent token renewal before redirecting to login

[obrassard]

Hello,

We are using withAuthenticationRequired to protect most of the routes in our React applications. We’ve noticed that when a previously authenticated user returns to the app with an expired access token, they are always redirected to the IDP login page, even though a valid refresh token is still available in their local storage.

It seems this behavior is intentional, as the current implementation in withAuthenticationRequired.tsx does not attempt to silently renew the access token before calling signinRedirect.

I would expect the library to try renewing the access token using the refresh token (if available) before prompting the user to log in again explicitly.

Is there a way to achieve this behavior with the current implementation ? If not, could we add an optional prop to withAuthenticationRequired that enables attempting signinSilent before calling signinRedirect?

For reference, this is our current configuration :

const config: AuthProviderProps = {
    authority: import.meta.env.VITE_COGNITO_AUTHORITY,
    client_id: import.meta.env.VITE_COGNITO_CLIENT_ID,
    redirect_uri: import.meta.env.VITE_COGNITO_CALLBACK_URL,
    automaticSilentRenew: true,
    response_type: 'code',
    scope: 'email openid profile',
    userStore: new WebStorageStateStore({ store: window.localStorage }),
    extraQueryParams: {
      lang: getCurrentLanguagePreference(),
    },
    onSigninCallback: () => {
      ...
    },
  };

[koshieguchi]

@pamapa
Hello!

Thank you for maintaining this amazing library! We’re running into the same issue—when the access token expires, the app always redirects to the login page even though a valid refresh token remains in local storage.

Would you consider adding an optional prop to withAuthenticationRequired that first attempts signinSilent (if a refresh token is available) before falling back to signinRedirect?

Thanks in advance for your time and help!

(FYI, this issue is also related to #1209)

[obrassard]

Has a workaround you can define your own version of withAuthenticationRequired and use it instead of the one exported from the library.

Although it sure would be simple if this was an optional prop in the library !

import type { SigninRedirectArgs } from 'oidc-client-ts';
import React from 'react';
import { hasAuthParams, useAuth } from 'react-oidc-context';

/**
 * @public
 */
export interface WithAuthenticationRequiredProps {
  /**
   * Show a message when redirected to the signin page.
   */
  OnRedirecting?: () => React.JSX.Element;

  /**
   * Allows executing logic before the user is redirected to the signin page.
   */
  onBeforeSignin?: () => Promise<void> | void;

  /**
   * Pass additional signin redirect arguments.
   */
  signinRedirectArgs?: SigninRedirectArgs;
}

/**
 * A public higher-order component to protect accessing not public content. When you wrap your components in this higher-order
 * component and an anonymous user visits your component, they will be redirected to the login page; after logging in, they
 * will return to the page from which they were redirected.
 *
 * @public
 */
export const withAuthenticationRequired = <P extends object>(
  Component: React.ComponentType<P>,
  options: WithAuthenticationRequiredProps = {},
): React.FC<P> => {
  const { OnRedirecting = (): React.JSX.Element => <></>, onBeforeSignin, signinRedirectArgs } = options;
  const displayName = `withAuthenticationRequired(${Component.displayName || Component.name})`;
  const C: React.FC<P> = (props) => {
    const auth = useAuth();

    React.useEffect(() => {
      if (hasAuthParams() || auth.isLoading || auth.activeNavigator || auth.isAuthenticated) {
        return;
      }
      void (async (): Promise<void> => {
        if (onBeforeSignin) await onBeforeSignin();
        const user = await auth.signinSilent();
        if (user === null) {
          await auth.signinRedirect(signinRedirectArgs);
        }
      })();
    }, [auth.isLoading, auth.isAuthenticated, auth]);

    return auth.isAuthenticated ? <Component {...props} /> : OnRedirecting();
  };

  C.displayName = displayName;

  return C;
};